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-Abstract- 

A dynamic program, as introduced by Patnaik and Immerman (1994), maintains the result of a 
fixed query for an input database which is subject to tuple insertions and deletions. It can use 
an auxiliary database whose relations are updated via first-order formulas upon modifications of 
the input database. 

This paper studies static analysis problems for dynamic programs and investigates, more 
specifically, the decidability of the following three questions. Is the answer relation of a given 
dynamic program always empty? Does a program actually maintain a query? Is the content 
of auxiliary relations independent of the modification sequence that lead to an input database? 
In general, all these problems can easily be seen to be undecidable for full first-order programs. 
Therefore the paper aims at pinpointing the exact decidability borderline for programs with 
restricted arity (of the input and/or auxiliary database) and restricted quantification. 
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1 Introduction 

In modern database scenarios data is subject to frequent changes. In order to avoid costly 
re-computation of queries from scratch after each small modification of the data, one can try 
to use previously computed auxiliary data. This auxiliary data then needs to be updated 
dynamically whenever the database changes. 

The descriptive dynamic complexity framework (short: dynamic complexity) by Patnaik 
and Immerman m models this setting from a declarative perspective. It was mainly inspired 
by updates in relational databases. Within this framework, for a relational database subject 
to change, a dynamic program maintains auxiliary relations with the intention to help 
answering a query Q. When a modification to the database, that is an insertion or deletion 
of a tuple, occurs, every auxiliary relation is updated through a first-order update formula 
(or, equivalently, through a core SQL query) that can refer to the database as well as to 
the auxiliary relations. The result of Q is, at every time, represented by some distinguished 
auxiliary relation. The class of all queries maintainable by dynamic programs with first-order 
update formulas is called DynFO and we refer to such programs as DYNFO-programs. We 
note that shortly before the work of Patnaik and Immerman, the declarative approach was 
independently formalized in a similar way by Dong, Su and Topor [7] . 
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Static Analysis for Logic-Based Dynamic Programs 


The main question studied in Dynamic Complexity has been which queries that are not 
statically expressible in first-order logic (and therefore not in Core SQL), can be maintained 
by DYNFO-programs. Recently, it has been shown that the Reachability query, a very 
natural such query, can be maintained by DynFO programs [2]. Altogether, research in 
Dynamic Complexity succeeded in proving that many non-FO queries are maintainable in 
DynFO. These results and their underlying techniques yield many interesting insights into 
the the nature of Dynamic Complexity. 

However, to complete the understanding of Dynamic Complexity, it would be desirable to 
complement these techniques by methods for proving that certain queries are not maintainable 
by DynFO programs. But the state of the art with respect to inexpressibility results is much 
less favorable: at this point, no general techniques for showing that a query is not expressible 
in DynFO are available. In order to get a better overall picture of Dynamic Complexity in 
general and to develop methods for inexpressibility proofs in particular, various restrictions 
of DynFO have been studied, based on, e.g., arity restrictions for the auxiliary relations 
MIS, fragments of first-order logic [HIH2IESES , or by other means {51 US- 

At the heart of our difficulties to prove inexpressibility results in Dynamic Complexity is 
our limited understanding of what dynamic programs with or without restrictions “can do” in 
general, and our limited ability to analyze what a particular dynamic program at hand “does”. 
In this paper, we initiate a systematic study of the “analyzability” of dynamic programs. 
Static analysis of queries has a long tradition in Database Theory and we follow this tradition 
by first studying the emptiness problem for dynamic programs, that is the question, whether 
there exists an initial database and a modification sequence that is accepted by a given 
dynamic program)]] Given the well-known undecidability of the finite satisfiability problem for 
first-order logic [22] . it is not surprising that emptiness of DynFO programs is undecidable 
in general. However, we try to pinpoint the borderline of undecidability for fragments of 
DynFO based on restrictions of the arity of input relations, the arity of auxiliary relations 
and for the class DynProp of programs with quantifier-free update formulas. 

In the fragments where undecidability of emptiness does not directly follow from undecid¬ 
ability of satisfiability in the corresponding fragment of first-order logic, our undecidability 
proofs make use of dynamic programs whose query answer might not only depend on the 
database yielded by a certain modification sequence, but also on the sequence itself, that 
is, on the order in which tuples are inserted or (even) deleted. From a useful dynamic 
program one would, of course, expect that it is consistent in the sense that its query answer 
always only depends on the current database, but not on the specific modification sequence 
by which it has been obtained. It turns out that the emptiness problem for consistent 
programs is easier than the general emptiness problem for dynamic programs. More precisely, 
there are fragments of DynFO, for which an algorithm can decide emptiness for dynamic 
programs that come with a “consistency guarantee”, but for which the emptiness problem is 
undecidable, in general. However, it turns out that the combination of a consistency test 
with an emptiness test for consistent programs does not gain any advantage over “direct” 
emptiness tests, since the consistency problem turns out to be as difficult as the general 
emptiness problem. 

Finally, we study a property that many dynamic programs in the literature share: they 
are history independent in the sense that all auxiliary relations always only depend on the 


1 The exact framework will be defined in Section [d] but we already mention that we will consider the 
setting in which databases are initially empty and the auxiliary relations are defined by first-order 
formulas. 
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Emptiness 

Consistency 

Emptiness for 
consistent programs 

History 

Independence 

Undecidable 

DYNFO(l-in, 0-aux) 
DYNPROP(2-in, 0-aux) 
DYNPROP(l-in, 2-aux) 

DynFO (1-in, 2-aux) 
DYNFO(2-in, 0-aux) 

DynFO (2-in, 0-aux) 

Decidable 

DYNPROP(l-in, 1-aux) 

DYNFO(l-in, 1-aux) 
DYNPROP(l-in) 
DYNPROP(l-aux) 

DYNFO(l-in) 

DYNPROP(l-aux) 

Open 


DynProp (2-in, 2-aux) 
and beyond 

DynProp (2-in, 2-aux) 
and beyond 


Table 1 Summary of the results of this paper. DYNFO(Cin, m-aux) stands for DYNFO-programs 
with (at most) Cary input relations and m -ary auxiliary relations. DynFO( m-aux) and DynFO (Cin) 
represent programs with m-ary auxiliary relations (and arbitrary input relations) and programs 
with Cary input relations, respectively. Likewise for DynProp. 


current (input) database. History independence can be seen as a strong form of consistency 
in that it not only requires the query relation, but all auxiliary relations to be determined by 
the input database. History independent dynamic programs (also called memoryless (21j or 
deterministic 0) are still expressive enough to maintain interesting queries like undirected 
reachability m ■ But also some inexpressibility proofs have been found for such programs 
0 uni ize]- We study the history independence problem , that is, whether a given dynamic 
program is history independent. In a nutshell, the history independence problem is the 
“easiest” of the static analysis problems considered in this paper. 

Our results, summarized in Table [1] shed light on the borderline between decidable and 
undecidable fragments of DynFO with respect to emptiness (and consistency), emptiness for 
consistent programs and history independence. While the picture is quite complete for the 
emptiness problem for general dynamic programs, for some fragments of DynProp there 
remain open questions regarding the emptiness problem for consistent dynamic programs 
and the history-independence problem. Some of the results shown in this paper have been 
already presented in the master thesis of Nils Vortmeier [23]. 


Outline We recall some basic definitions in Section [2] and introduce the formal setting 
in Section [3] The emptiness problem is defined and studied in Section [4] where we first 
consider general dynamic programs (Subsection |4.1| ) and then consistent dynamic programs 
(Subsection 4.2). In Subsection |4.3| we briefly discuss the impact of built-in orders to the 


results. The Consistency and History Independence problems are studied in Sections [5] and 
[6] respectively. We conclude in Section [7] 


2 Preliminaries 

We presume that the reader is familiar with basic notions from Finite Model Theory and 
refer to mm for a detailed introduction into this field. We review some basic definitions 
in order to fix notations. 

In this paper, a domain is a non-empty finite set. For tuples a = (ai,..., a*,) and 
b = (bi, ..., be) over some domain D , the (k + £)-tuple obtained by concatenating a and b is 
denoted by (a, b). 
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A (relational) schema is a collection r of relation symbol^ together with an arity function 
Ar : r —► N. A database T> with schema r and domain D is a mapping that assigns to every 
relation symbol R £ r a relation of arity Ar (R) over D. The size of a database , usually 
denoted by n, is the size of its domain. We call a database empty , if all its relations are 
empty. We emphasize that empty databases have non-empty domains. A r-structure S is a 
pair ( D,T) ) where P is a database with schema r and domain D. Often we omit the schema 
when it is clear from the context. 

We write S \= 95 (a) if the first-order formula 95 ( 2 ?) holds in S under the variable assignment 
that maps x to a. The quantifier depth of a first-order formula is the maximal nesting depth 
of quantifiers. The rank-q type of a tuple (on,..., a m ) with respect to a r-structure S is the 
set of all first-order formulas 95 ( 2 : 1 ,..., x m ) (with equality) of quantifier depth at most q , for 
which S |= 95 (a) holds. By S = q S' we denote that two structures S and S' have the same 
rank-q type (of length 0 tuples). 

For a subschema t' C t, the rank-q r'-type of a tuple a in a r-structure S is its rank-q 
type in the r'-reduct of S. 

We refer to the rank-0 type of a tuple also as its atomic type and, since we mostly deal 
with rank-0 types, simply as its type. The equality type of a tuple is the atomic type with 
respect to the empty schema. 

The k-ary type of a tuple a in a structure S is its r<fc-type, where r<^ consists of all 
relation symbols of r with arity at most k. The t' -color of an element a in S , for a subschema 
t' of the schema of <S, is its r(-type, where r[ consists of all unary relation symbols of t' . 
We often enumerate the possible r'-colors as cq, ... ,Cl, for some L with Co being the color 
of elements that are in neither of the unary relations. We call these elements t' -uncolored. If 
t' is clear from the context we simply speak of colors and uncolored elements. 


For a database T> over schema r, a modification S = (o, a) consists of an operation o £ 
{iNSs, DELs | S £ t} and a tuple a of elements from the domain of V. By S(T>) we denote 
the result of applying S to V with the obvious semantics of inserting or deleting the tuple a 
to or from relation S'®. For a sequence a = 61 • • • 6 n of modifications to a database T> we let 
«(®) = 

A dynamic instanc^oi a query Q is a pair (X>, a), where I? is a database over a domain 
D and a is a sequence of modifications to T>. The dynamic query Dyn(Q) yields the result 
of evaluating the query Q on a(V). 

Dynamic programs, to be defined next, consist of an initialization mechanism and an 
update program. The former yields, for every (initial) database T >, an initial state with initial 
auxiliary data. The latter defines the new state of the dynamic program for each possible 
modification 8 . 

A dynamic schema is a pair (Tj n ,T aux ), where T[ n and r aux are the schemas of the input 
database and the auxiliary database, respectively. We call relations over r ln input relations 
and relations over r aux auxiliary relations. If the relations are 0-ary, we also speak of input 
or auxiliary bits. We always let r A r in U r aux . 


3 The dynamic complexity setting 


For simplicity we do not allow constants in this work but note that our results hold for relational 
schemas with constants as well. 

' 5 The following introduction to dynamic descriptive complexity is similar to previous work HUGS]- 
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► Definition 3.1. (Update program) An update program P over a dynamic schema (Ti n ,r aux ) 
is a set of first-order formulas (called update formulas in the following) that contains, for 
every R £ r aux and every o £ {iNSg, dels I S £ Ti n }, an update formula <f>^(x', y) over the 
schema r where x and y have the same arity as S and R, respectively. 

A program state S over dynamic schema (ri n ,T aux ) is a structure (D,I,A) wherc^D 
is a finite domain, I is a database over the input schema (the input database) and A is a 
database over the auxiliary schema (the auxiliary database). 

The semantics of update programs is as follows. For a modification S = (o, a), where a is 
a tuple over D , and program state S = (D,I,A) we denote by Ps(S) the state (D,5(Z),A'), 
where A! consists of relations R A = {b \ S \= b)}. The effect P a {S) of a modification 

sequence a = 5 \... 5n to a state S is the state Ps N (- ■ ■ {Ps 1 (S ))...). 

► Definition 3.2. (Dynamic program) A dynamic program is a triple (P, Init,Pq), where 
h P is an update program over some dynamic schema (T in ,r aux ), 

m Init is a mapping that maps r in -databases to r aux -databases, and 
h Rq £ r aux is a designated query symbol 

A dynamic program V = (P, Init,Pq) maintains a dynamic query Dyn(Q) if, for every 
dynamic instance (T>, a), the query result Q(a(T>)) coincides with the query relation Rq in 
the state S = P a (Si mT (V)), where iSi Nrr (P) = (D, T>, Init(P)) is the initial state for D. If 
the query relation Rq is 0-ary, we often denote this relation as query bit Acc and say that 
V accepts a over D if Acc is true in P a (Si N i T (P)). 

In the following, we write P a (P) instead of P a (Si N1T (V)) and V a (S) insteac0of P a (S) for 
a given dynamic program V = (P, Init, Rq), a modification sequence a, an initial database 
T> and a state S. 

► Definition 3.3. (DynFO and DynProp) DynFO is the class of all dynamic queries 
that can be maintained by dynamic programs with first-order update formulas and first- 
order definable initialization mapping when starting from an initially empty input database. 
DynProp is the subclass of DynFO, where update formulas are quantifier-free^] 

A DYNFO-program is a dynamic program with first-order update formulas, likewise 
a DYNPROP-program is a dynamic program with quantifier-free update formulas. A 
DYNFO(Pin, m-aux)-program is a DYNFO-program over (at most) £-ary input databases that 
uses auxiliary relations of arity at most m\ likewise for DYNPROP(Uin, m.-aux)-programs]^] 

Due to the undecidability of finite satisfiability of first-order logic, the emptiness problem— 
the problem we study first—is undecidable even for DYNFO-programs with only a single 
auxiliary relation (more precisely, with query bit only). Therefore, we restrict our investiga¬ 
tions to fragments of DynFO. Also allowing arbitrary initialization mappings immediately 
yields an undecidable emptiness problem. This is already the case for first-order definable 
initialization mappings for arbitrary initial databases. In the literature classes with various 
restricted and unrestricted initialization mappings have been studied, see [25] for a discussion. 
In this work, in line with m, we allow initialization mappings defined by arbitrary first-order 
formulas, but require that the initial database is empty. Of course, we could have studied 


4 We prefer the notation ( D,I,A ) over ( D,X U A) to emphasize the two components of the overall 
database. 

5 The notational difference is tiny here: we refer to the dynamic program instead of the update program. 

6 We still allow the use of quantifiers for the initialization. 

' We do not consider the case 1 = 0 where databases are pure sets with a fixed number of bits. 
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further restrictions on the power of the initialization formulas, but this would have yielded a 
setting with an additional parameter. 

The following example illustrates a technique to maintain lists with quantifier-free dynamic 
programs, introduced in m Proposition 4.5], which is used in some of our proofs. The 
example itself is from m- 

► Example 3.4. We provide a DYNPROP-program V for the dynamic variant of the Boolean 
query NonEmptySet, where, for a unary relation U subject to insertions and deletions 
of elements, one asks whether U is empty. Of course, this query is trivially expressible in 
first-order logic, but not without quantifiers. 

The program V is over auxiliary schema T aux = {Rq 7 First, Last, List}, where Rq is 
the query bit (i.e. a 0-ary relation symbol), First and Last are unary relation symbols, and 
List is a binary relation symbol. The idea of V is to maintain a list of all elements currently 
in U. The list structure is stored in the binary relation List 5 . The first and last element of 
the list are stored in First 5 and Last 5 , respectively. We note that the order in which the 
elements of U are stored in the list depends on the order in which they are inserted into U . 

For a given instance of NonEmptySet the initialization mapping initializes the auxiliary 
relations accordingly. 

Insertion of a into U. A newly inserted element is attached to the end of the lisi[^] 
Therefore the FiRST-relation does not change except when the first element is inserted into 
an empty set U. Furthermore, the inserted element is the new last element of the list and 
has a connection to the former last element. Finally, after inserting an element into U 7 the 
query result is ’true’: 

^ > ms lST ( a i x ) == (“'-Rq Aa=i)V (Rq A First(x)) 

<p^ T (a;x) = a = x 

0mT( a ; x , y) = List (a;, y) V (Last(;t) A a = y) 

</4 e (a) = T. 

Deletion of a from U. How a deleted element a is removed from the list, depends on 
whether a is the first element of the list, the last element of the list or some other element of 
the list. The query bit remains ’true’, if a was not the first and last element of the list. 

( a ; x ) = (FiRST(a:) Ai/a)V (First(o) A List(o, x)) 

‘(’delu (a; x ) = (Last(:e) A i / a) V (Last(o) A List(x, a)) 

^delu (a; x, y) = x^aAy^aA (List(o; ,y) V (LlST(a:,a) A LiST(a,y))) 

0DE?c(a) = -.(First(o) ALast(o)) m 

In some parts of the paper we will use specific forms of modification sequences. An 
insertion sequence is a modification sequence a = 8± ■ ■ ■ S m whose modifications are pairwise 
distinct insertions. An insertion sequence a over a unary input schema Tj n is in normal form 
if it fulfills the following two conditions. 

(Nl) For each element a, the insertions affecting a form a contiguous subsequence a a of a. We 
say that a a colors a. 

(N2) For all elements a, b that get assigned the same r in -color by a , the projections of the 
subsequences a a and ab to their operations (i.e., their first parameters) are identical. 
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For simplicity we assume that only elements that are not already in U are inserted, the formulas given 
can be extended easily to the general case. Similar assumptions are made whenever necessary. 
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4 The Emptiness Problem 

In this section we define and study the decidability of the emptiness problem for dynamic 
programs in general and for restricted classes of dynamic programs. The emptiness problem 
asks, whether the query relation Rq of a given dynamic program V is always empty, more 
precisely, whether Rq = 0 for every (empty) initial database T> and every modification 
sequence a with S = V a {V). 

To enable a fine-grained analysis, we parameterize the emptiness problem by a class C of 
dynamic programs. 

Problem: Emptiness(C) 

Input: A dynamic program V £ C with FO initialization 
Question: Is Rq = 0, for every initially empty database V and every 

modification sequence a, where S = V a (T > )? 

As mentioned before, undecidability of the emptiness problem for unrestricted dynamic 
programs follows immediately from the undecidability of finite satisfiability of first-order 
logic. 

► Theorem 4.1. Emptiness is undecidable for T)YNFO(2-in,0-aux)-programs. 

Proof. This follows easily from the undecidability of the finite satisfiability problem for 
first-order logic over schemas with at least one binary relation symbol [22] . For a given 
first-order formula if over schema {E} we construct a DYNFO-program V with a single 
binary input relation E and a single 0-ary auxiliary relation Acc as follows. The bit Acc is 
set to true whenever the modified database is a model of <p, and set to false otherwise. 

For correctness, we observe that if <p is not satisfiable then Acc is always false and 
therefore V is empty. On the other hand, if ip is satisfiable, then there is a modification 
sequence a that is accepted by V, so V is non-empty. ◄ 

In the remainder of this section, we will shed some light on the border line between 
decidable and undecidable fragments of DynFO. In Subsection |4.1| we study fragments of 
DynFO obtained by disallowing quantification and/or restricting the arity of input and 
auxiliary relations. In Subsection |4.2[ we consider dynamic programs that come with a 
certain consistency guarantee. 

4.1 Emptiness of general dynamic programs 

In this subsection we study the emptiness problem for various restricted classes of dynamic 
programs. We will see that the problem is basically only decidable if all relations are at most 
unary and no quantification in update formulas is allowed. Figure [T] summarizes the results. 

At first we strengthen the general result from Theorem |4.1| We show that undecidability of 
the emptiness problem for DYNFO-programs holds even for unary input relations and auxiliary 
bits. Furthermore, quantification is not needed to yield undecidability: for DynProp- 
programs, emptiness is undecidable for binary input or auxiliary relations. 

► Theorem 4.2. The emptiness problem is undecidable for 

(a) F)YNFO(l-in,0-aux)-programs, 

(b) DynProp(1-ot, 2- aux)-programs, 

(c) DYNPROP(2-m, 0 -aux)-programs, 
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Figure 1 Decidability of Emptiness for various classes of dynamic programs. 


Proof. In all three cases, the proof is by a reduction from the emptiness problem for 
semi-deterministic 2-counter automata. 

In a nutshell, a counter automaton (short: CA) is a finite automaton that is equipped with 
counters that range over the non-negative integer numbers. A counter c can be incremented 
(inc(c)), decremented (dec(c)) and tested for zero (ifzero(c)). A CA does not read any input 
(i.e., its transitions can be considered to be e-transitions) and in each step it can manipulate 
or test one counter and transit from one state to another state. 

More formally, a CA is tuple (Q, C, A, q i7 F), where Q is a set of states, g, £ Q is the 
initial state, F C Q is the set of accepting states, and C is a finite set (the counters ). The 
transition relation A is a subset of Q x {inc(c),dec(c),ifzero(c) | c £ C} x Q. 

A configuration of a CA is a pair (p, n) where p is a state and n £ N c gives a value n c 
for each counter c in C. A transition (p, inc(c), q) can be applied in state p, transits to state 
q and increments n c by one. A transition (p, dec(c), q) can be applied in state p if n c > 0, 
transits to state q and decrements n c by one. A transition (p, ifzero(c), q) can be applied in 
state p, if n c = 0 and transits to state q. 

A run is a sequence of configurations consistent with A, starting from the initial con¬ 
figuration (qi, 0). A run is accepting , if it ends in some configuration ( qf,n ) with qf £ F. 
A CA is deterministic if A contains for every p £ Q at most one transition (p, 0,g). It is 
semi-deterministic if for every p £ Q there is at most one transition (p, 0, q) in A or there 
are two transitions (p,dec(c), q) and (p,ifzero(c), q'). 

The emptiness problem for counter automata asks whether a given counter automaton 
has an accepting run. It follows from [2111 Theorem 14.1-1] that the emptiness problem for 
semi-deterministic CA with two counters (2CA) is undecidablej^] 

In all three reductions, the dynamic program V is constructed such that for every run 
p of the 2CA A4 there is a modification sequence a = a(p) that lets V simulate p, and 
such that V accepts on input a if and only if p is accepting. More precisely, the state of V 
encodes the state of A4 by auxiliary bits and the counters of A4 in some way that differs in 
the three cases. However, in all cases it holds that not every modification sequence for V 
corresponds to a run of M.. However, V can detect if a does not correspond to a run and 
assume a rejecting sink state as soon as this happens. 

For (a), the two counters are simply represented by two unary relations, such that the 


9 The instruction set from ED] contains the increment instruction and a combined instruction that 
decrements a counter if it is non-zero and jumps to another instruction if it is zero. To simulate the 
latter instruction, we use two transitions (p, dec(c), q) and (p, ifzero(c), q') of which exactly one can be 
applied. 
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number of elements in a relation is the current value of the counter. The test whether 
a counter has value zero thus boils down to testing emptiness of a set and can easily be 
expressed by a formula with quantifiers. 

The lack of quantifiers makes the reductions for (b) and (c) a bit more complicated. In 
both cases, the counters are represented by linked lists, where the number of elements in the 
list corresponds to the counter value (in (c): plus 1). With such a list a counter value zero 
can be detected without quantification. Due to the allowed relation types, the lists are built 
with auxiliary relations in (b) and with input relations in (c). 

In the following, we describe more details of the reductions. 

(a) We construct, from a semi-deterministic 2CA Ad = (Q, {ci, C 2 }, A, qi, F) a Boolean 
DYNFO(l-in, 0-aux)-program V with unary input relations C 1 and C 2 and input bits Z\ and 
Zi such that Ad accepts a sequence 9 of operations if and only if V accepts a corresponding 
sequence a of modifications. 

With a run p of Ad we can associate an input sequence a(p) on a sufficiently large domain 
as follows: each transition of the form (p, inc(cj), q) gives rise to an insertion INSC; (d), for some 
domain value d currently not in GV Likewise, each operation (p,dec(ci), q) corresponds to a 
deletion DEL^ (d). Finally, operations (p, ifzero(c;), q) correspond alternatingly to operations 
INS^O and DEL^Q. 

The semi-determinism of Ad ensures that there is always at most one applicable transition 
and enables the program V to keep track of the state of Ad. The program ensures that only 
applicable transitions are taken. 

The program V has one auxiliary bit R p for every state p of Ad, an “error bit” R e and the 
query bit Acc. During a “simulation” the current state p of Ad corresponds to a program 
state in which exactly the auxiliary bit R p is true (and Acc if p £ F). As soon as the input 
sequence contains an operation that does not correspond to an applicable transition of Ad 
(either because no transition exists or because it can not be applied due to a counter value), 
the error bit R e is switched on and remains on forever. 

The update formulas of V are as follows. 

^ins cS u ) == ~ , Ci(u) A ~^R e A \/ R p 

(p,inc(ci),g)GA 

*2Sc» = ^VC s (u)V V R p 

p&X 

0ms C Ci( u ) == _, Ci( u ) A A \J Rp 

(p,mc(ci),g)EA 

with q e F 


Here, A' is the set of states p from Ad for which no transition (p,inc(ci), q) exists in A. 
Deletions are handled similarly: 

&c»= a(«)A^R e A \/ R p 

(p,dec(ci),q r )G A 

< E = LC >) d A f iJ e V-Q( W )V \/ R p 

pGY 

</4Tc, («) = Ci (u) A ~iR e A V Rp 

(p,dec(ci) ,q)£ A 
with q e F 
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Here, Y is the set of states p from M. for which no transition (jp, dec(cj), q) exists in A. 
Modifications to Z t are handled as follows: 

^INS z 4 0 = -axCi (x) A -iR e A V R p 

(p,if zero ( c * ) ,q) € A 

<fc() = ReV3xCi(x)V V Rp 

p£Z 

0 = -3 xCi (x) A ~>R e A V Rp 

(p,if zero ( c i) ,q) G A 
with q e F 


Here, Z is the set of states p from M. for which no transition (p, ifzero(c,), q) exists in A. 
Deletions of input bits are handled exactly like insertions. 

Now we prove that A4 has an accepting run if and only if there is a modification sequence 
accepted by V. 

(only-if) Let p be an accepting run of A4 and let m be the maximum value that a counter 
of M. assumes in p. It is not hard to prove by induction that there is a modification sequence 
on every domain with at least m elements that corresponds to p in the sense described above. 

(if) For the other direction assume that a = <5i • • • S n is a modification sequence over 
domain D that is accepted by V. Let Sq be the initial state of V for D and let Si for 
i € {1,... ,n} be the state reached by V after application of <5i • • • Si. Then, by definition of 
the update formulas of V and because S n is accepting, the bit Rf* is not true for any Si and 
no element is inserted into Ci when it was already contained in Cj, likewise elements are 
not deleted from Ci when they are not contained. The corresponding accepting run of A4 is 
defined by the sequence (go> $ 0 : Qi) ■ ■ ■ (Qn-i,S n -i,q n ) of transitions where qi is the unique 
state q for which R~* is true. Further the value for 9i is inc(cj) if inserts an element 

into Cj , dec(cj) if 8 i+i deletes an element from Cj and ifzero(cj) if modifies Z :) . 

(b) We note that in the proof of part (a) quantification is only needed for testing whether 
the input relations representing the counters are empty. 


A DYNPROP(l-in, 2-aux)-program can simulate this check with two lists as in Example 3.4 


for the relations C\ and C 2 - When an insertion iNSc ; ( d ) occurs, corresponding to an operation 
(p, inc(cj), q) in M, the element d is appended to the end of the list for C,. Analogously, for 


a deletion del^. (d) the element d is removed from the list for Ci. As shown in Example 3.4 
the dynamic program maintains auxiliary bits Bi , B 2 such that Bi is true if and only if Ci is 
not empty. These bits can then be used by the update formulas instead of the quantification. 
The rest of the proof is then analogous to the proof of (a). 

(c) In this reduction the counters of the CA are represented by lists, as in (b), but the 
lists are encoded with (at most) binary input relations. Consequently, transitions of A4 
correspond to (bounded length) sequences of modifications for a dynamic program. 

For each counter Ci the program V use one binary input relation LiSTj, one unary input 
relation In,; that contains all element used in the list, three unary input relations MlNj, 
Last, , NextLast, to mark special elements, several auxiliary bits to monitor if all these 
input relations are used as intended and a bit NONEMPTY.^ which states whether List^ is 
currently empty. 

We now describe how to construct a modification sequence a = a(p) from a run p of a 
given 2CA M, that is accepted by V if and only if p is accepting. 

Before the actual simulation of M can start, a has to initialize the input relations apart 
from List,. To this end, V expects as the first three modifications the insertion of one 
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element into Min^Last; and In^. This element will serve as the head of the list. 

A transition of M. that increments counter Ci is translated into a series of modifications 
that altogether insert a new element a into In^ as follows. First, a is inserted into NextLast^ 
and thus marked as to be inserted to the end of the list. Next the tuple ( b , a) is inserted into 
LiSTj, where b is the unique element with b £ Last,. The list is surely not empty after the 
insertion of a , so NONEMPTY^ is set to true. After that, b is removed from Last, and a is 
inserted into lN,LASTi and removed from NextLasTj. If the modification sequence does 
not follow this protocol, V assumes a rejecting state forever. Because every relation from 
Min*, Last,, NextLasTj contains at most one element at every time, V can indeed check 
whether all these modifications occur in the right order and on the right elements. 

Similarly, a transition of Ai decrementing c, is translated into a series of modifications 
that altogether remove the unique element a £ Last^ from the corresponding list as follows. 
Let (b, a) be the tuple in List,; that contains a. The first modification has to be the insertion 
of b into NextLast^, after that (b, a) is deleted from LiSTj. If b £ Min* then the list is now 
empty and NONEMPTY^ is set to false, a has to be removed from In and Last, b has to be 
inserted into Last and removed from NextLast. 

It is straightforward but cumbersome to give the update formulas, so they are omitted 
here. 

Otherwise, that is, besides the actual translation of a single step of M, the proof is 
analogous to the proof of (a). 


◄ 

The next result shows that emptiness of DYNPROP(l-in, l-aux)-programs is decidable, 
yielding a clean boundary between decidable and undecidable fragments. 

► Theorem 4.3. Emptiness is decidable for DYNPROP(l-in,l-aux)-programs. 

Proof. The proof uses the following two simple observations about DYNPROP(l-in, 1-aux)- 
programs V. 

_ The initialization formulas of V assign the same r aux -color to all elements. This color 
and the initial auxiliary bits only depend on the size of the domain. Furthermore there 
is a number n(V), depending solely on the initialization formulas, such that the initial 
auxiliary bits and r aux -colors are the same for all empty databases with at least n(V) 
elements. This observation actually also holds for DYNFO(l-in, l-aux)-programs. 
m When V reacts to a modification S = (o, a), the new (r-)color of an element b ^ a only 
depends on o, the old color of 6 , the old color of a , and the 0-ary relations. In particular, 
if two elements b-[. 62 (different from a) have the same color before the update, they both 
have the same new color after the update. Thus, the overall update basically consists 
of assigning new colors to each color (for all elements except a), and the appropriate 
handling of the element a and the 0 -ary relations. 

We will show below that the behavior of DYNPROP(l-in, l-aux)-programs can be simulated 
by an automaton model with a decidable emptiness problem, which we introduce next. 

A multicounter automaton (short: MCA) is a counter automaton which is not allowed to 
test whether a counter is zero, i.e. the transition relation A is a subset of Q x {inc(c),dec(c) | 
c £ C} x Q. A transfer multicounter automaton (short: TMCA) is a multicounter counter 
automaton which has, in addition to the increment and the decrement operation, an operation 
that simultaneously transfers the content of each counter to another counter. More precisely 
the transition relation A is a subset of Q x ({inc(c), dec(c) | c £ C} U {t \ t : C —> C}) x Q. 
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Applying a transition (p, t, q) to a configuration (p, n ) yields a configuration (q, n') with 
n' c = '}2t(d)=c n d f° r every c £ C. A configuration (q,n) of a TCMA is accepting , if q £ F. 
The emptiness problem for TCMA^Jis decidable by reduction to the coverability problem 
for transfer petri net^] which is known to be decidable [5]. 

Let V be a DYNPROP-program over unary schema r = Ti n U T aux with query symbol Rq 
which may be 0-ary or unary. Let r 0 be the set of all 0-ary (atomic) types over r and let Ti 
be the set of r-colors. We construct a transfer multicounter automaton M. with counter set 
Zi = {z 1 \^ £T 1 }. The state set Q of M contains T 0 , the only accepting state / and some 
further “intermediate” states to be specified below. 

The intuition is that whenever V can reach a state S then A4 can reach a configuration 
c = ( p , n ) such that p reflects the 0-ary relations in S and, for every 7 £ Ti, n 7 is the number 
of elements of color 7 in S. 

The automaton M works in two phases. First, A4 guesses the size n of the domain of 
the initial database. To this end, it increments the counter z 1 to n, where 7 is the color 
assigned to all elements by the initialization formula for domains of size n, and it assumes 
the state corresponding to the initial 0-ary relations for a database of size n. Here the first 
of the above observations is used. Then A4 simulates an actual computation of V from the 
initial database of size n as follows. Every modification iNSg(a) (or DELg(a), respectively) in 
V is simulated by a sequence of three transitions in M: 

_ First, the counter z 7 , where 7 is the color of a before the modification, is decremented. 
h Second, the counters for all colors are adapted according to the update formulas of V. 
h Third, the counter zy, where 7 ' is the color of a after the modification, is incremented. 

If a modification changes an input bit, the first and third step are omitted. The state of 
A4 is changed to reflect the changes of the 0-ary relations of V. For this second phase the 
second of the above observations is used. 

To detect when the simulation of V reaches a state with non-empty query relation Rq, 
states p £ To may have a transition to the accepting state /. 

Now we describe A4 in detail. We begin with the simulation of the initialization step. 
If the quantifier depth of V is q then A4 non-deterministically guesses whether the domain 
is of size 1,..., q or at least q + 1. To this end the automaton has < 7+1 additional states 
Pi,... ,p q +i, and non-deterministically chooses one such state pi. Recall that the initial 
faux-colors as well as the auxiliary bits depend only on the size of the domain, and that they 
are the same for all domains of size > q + 1. Let 70 be the 0-ary type and 71 be the color 
assigned to domains of size i. Now, A4 increments the counter z 7l to i (or to at least i if 
i = q + 1) using some further intermediate states. Afterwards A4 assumes state 70 - 

Next we explain how a computation of V is simulated. We first deal with modifications 
to unary input relations. As the effects of an update depend on the operation that is 
applied to an element, the color of that element and the 0-ary relations, A4 has one chain 
of transitions for every such combination. So, for every state p £ To, every color 7 £ Ti 
and every o £ {iNSs,DELs} with S £ r in and Ar(S') = 1 there are states 9p i7i0 and <7p j7j0 
which are in charge of the simulation of an update when the modification S = (o, a) occurs 
in a situation with 0-ary type p to an element a of color 7 . A transition from p to q^ 0 
decreases the counter z 1 , a transition from q^ >1 0 increases the counter for the new color of 


10 We note that (the complement of) this emptiness problem is often called control-state reachability 
problem. 

11 The simulation of states by counters can be done as in HS1 Lemma 2.1] 
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the modified element and assumes the state p' corresponding to the new 0-ary type. These 
two transitions simulate the changes of the auxiliary relations regarding the modified element. 
A transition from <jd to handles the changes to the elements not (directly) affected 
by (5. As explained above, for given p , o and 7 , the new color of an element depends only on 
its old color. From the update formulas of V we extract a function g pn , 0 : Ti —> Ti which 
describes these changes. From g we build the function t : Z\ —>■ Z\ that describes the transfer 
as tfzy) = Zg pyo ( rf >). 

Similarly, modifications to input bits are simulated. Let o £ {iNSg, DEL 5 } with S £ T ln 
and Ar(S') = 0 be an operation to a 0-ary input relation. For states p,p' £ To there is a 
transition ( p,t,p') if i(z 7 /) = z Qp o ( 7 /) with g Pl7 , 0 : Ti —> Ti as above and p' corresponds to 
the 0 -ary type after the update. 

At last, transitions from p £ To to / are introduced. The kind of these transitions depends 
on the arity of Rq . If Rq is 0-ary and Rq £ p, then there is a transfer transition (p, id , /) 
where id is the identity. If Rq is unary there is a transition (p,dec( 7 ),/) for every color 
7 £ Ti with Rq £ 7 . 

It is not hard to show that there is a modification sequence for V that leads to a non-empty 
query relation, if and only if there is a run of A4 that reaches /. ◄ 

4.2 Emptiness of consistent dynamic programs 

Some readers of the proof of Theorem |4.2| might have got the impression that we were 
cheating a bit, since the dynamic programs it constructs do not behave as one would expect: 
in all three cases each modification sequence a that yields a non-empty query relation Rq 
can be changed, e.g., by switching two operations, into a sequence that does not correspond 
to a run of the CA and therefore does not yield a non-empty query relation. That is, the 
program V is inconsistent because it might yield different results when the same database is 
reached through two different modification sequences. 

It seems, that this inconsistency made the proof of Theorem |4.2| much easier. Therefore, 
the question arises, whether the emptiness problem becomes easier if it can be taken for 
granted that the given dynamic program is actually consistent. We study this question in 
this subsection and will investigate the related decision problem whether a given dynamic 
program is consistent in the next section. 

As Table [l] shows, the emptiness problem for consistent dynamic programs is indeed easier 
in the sense that it is decidable for a considerably larger class of dynamic programs. While 
emptiness for general DynFO programs is already undecidable for the tiny fragment with 
unary input relations and 0-ary auxiliary relations, it is decidable for consistent DynFO 
programs with unary input and unary auxiliary relations. Likewise, for DynProp there is a 
significant gap: for consistent programs it is decidable for arbitrary input arities (with unary 
auxiliary relations) or arbitrary auxiliary arities (with unary input relations), but for general 
programs emptiness becomes undecidable as soon as binary relations are available (in the 
input or in the auxiliary database). 

We call a dynamic program V consistent, if it maintains a query with respect to an empty 
initial database, that is, if, for all modification sequences a to an empty initial database 
the query relation in V a (D )) depends only on the database a(2?g). In the remainder of this 
subsection we show the undecidability and decidability results stated in Table [T] 

► Theorem 4.4. The emptiness problem is undecidable for 

(a) consistent DYNFO(2-m, 0-aux)-programs, and 

(b) consistent F)YNFO(l-in,2-aux)-programs. 
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Proof. Statement (a) is a corollary of the proof of Theorem 4.1 as the reduction in that 
proof always yields a consistent program. 

For (b), we present another reduction from the emptiness problem for semi-deterministic 
2CAs (see also the proof of Theorem 4.21. From a semi-deterministic 2CA A4 we will 
construct a consistent Boolean dynamic program V with a single unary input relation U. 
The query maintained by V is “A4 halts after at most \U\ steps”. Clearly, such a program 
has a non-empty query result for some database and some modification sequence if and only 
if M. has an accepting run. 

The general idea is that V simulates one step of the run of M whenever a new element is 
inserted to U . A slight complication arises from deletions from U, since it is not clear how 
one could simulate A4 one step “backwards”. Therefore, when an element is deleted from U, 

V freezes the simulation and stores the size to of \U\ before the deletion. It continues the 
simulation as soon as the current size £ of U grows larger than to, for the first time. 

To help storing m and £ (and the values of the counters, for that matter), V uses an 
auxiliary binary relation R < which, at any time, is a linear order on the set of those elements, 
that have been inserted to U at some point. Whenever an element is inserted to U for 
the first time, it becomes the maximum element of the linear order in R < . Deletions and 
reinsertions do not affect R < . 

To actually store £ and m, V uses two unary relations 17 curren t and L/ max . At any time, 
U current contains the £ smallest elements with respect to f?<, where £ is the size of U at 
the time. Similarly, t/ max contains the m smallest elements, with to as described above. In 
particular, I/ CU rrent is empty if and only if £ = 0. In the same fashion, V uses two further 
unary auxiliary relations C\ and C2 representing the counters. 

If M reaches an accepting state, V stores the current size k of U at this moment, with 
the help of another unary relation C/ acc , that is, it simply lets C/ acc become a copy of t/ curre nt 
after the current insertion. From that point on, that is, if f/ acc is non-empty, the query bit of 

V is true whenever £ > k. Besides the one binary and five unary relations, V has one 0-ary 
relation Q p , for every state p of M. 

As an illustration we give two update formulas of V that maintain C\ and and Q q , for 
some state q , under insertions to U, respectively. 


u( U ’ x ) = ((U(u)V (U current U max )\/ \J Q p ) A Ci{x))\/ 

(p,inc(c 2 ),<?)£ A 
(p,dec(c2),g)G A 
(p,ifzero(c 2 ),<?)£ A 

1 £^(^0 A (^current = ^max)^ 

( V (Qp A \/y(Ci(y) V x < y)) 

(p,inc(ci),(j)eA 

V V (Qp A Ci(x) A 3y(Ci(y) A x < y)))^j 

(p,dec(ci ),<?)£ A 

Ans u( U ) = (( U ( U ) V (^current / U maX )) A Q q ) V (u) A (/7 CU rrent = U max )A 

( V ^ 

(p,inc{cj),q)£A 
3 S{1,2> 

V (Qp A 3xCj(x)) 

(p,dec(cj),ij)6 A 


V 
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V \/ (Q P /\ ^xCj(x)))^J 

(p,iizero(cj ),g)E A 

je{ 1 , 2 } 

Here, U cu rre nt = C^max abbreviates the formula \/y (U CUIlent (y) U max (y)). We note that 
</> IN g y does not test the applicability of transitions directly, but ipff v does. 

We recall that, thanks to semi-determinism of M., the next transition is always uniquely 
determined by the state of A4 and the value of the affected counter. If no transition can be 
applied, the simulation does not set any bit Qi to true and the simulation basically stops. ◄ 

Contrary to the case of not necessarily consistent programs, the emptiness problem is 
decidable for consistent DYNFO(l-in, l-aux)-programs. We will use the fact that the truth 
of first-order formulas with quantifier depth k in a state of a DYNFO(l-in, 1-aux)-program 
only depends on the number of elements of every color up to k. 

Intuitively the states of a consistent DYNFO(l-in, l-aux)-program can be approximated 
by a finite amount of information, namely the number of elements of every color up to some 
constant. This can be used to construct, from a consistent DYNFO(l-in, l-aux)-program V, 
a nondeterministic finite automaton A that reads encoded modification sequences for V in 
normal form and approximates the state of V in its own state. In this way the emptiness 
problem for consistent DYNFO(l-in, l-aux)-programs reduces to the emptiness problem for 
nondeterministic finite automata. 

To formalize this, for a DYNFO(l-in, l-aux)-program V let Ci,..., Cm be the colors over 
the schema of V. The characteristic vector n(S) = (n\, ..., hm) for a state S over the 
schema of V stores for every color Ci the number rq € N of elements of color Ci in S. We 
also denote this number as rq(iS). We write n ~ k m, for numbers k, n, m, if n = m or both 
n > k and m > k. We write (n \,..., um) — k (n'i, ■ ■ •, «V)' if f° r every i < M, ce k n', 
and S S' for two states S and S’ if n(S) ~ k n(S') and the bits in S and S' are equally 
valuated. 

► Lemma 4.5. Let V be a DynFO(1-ot, 1-aux)-program with quantifier depth q and let S 
and S' be two states for V. 

(a) S S' if and only if S = k S' for any k £ N. 

(b) Let a and a' be elements from S and S' with the same color Ci and let k = q + 1. If 
S S' and no(S) ~fc+i no(S') then Vs( a )(S) —fc 'Ps(a , )(S') f or every modification 6. 

We recall that S = k S' means that the two states satisfy exactly the same first-order 
formulas of quantifier depth (up to) k. 

Proof, (a) It is easy to express with a first-order formula of quantifier depth k that the 
number of elements of a color c is exactly k' for k' < k or at least k. So the only if direction 
follows. If S S' holds, then Duplicator has a straightforward winning strategy in the 
fc-rounds Ehrenfeucht-Frai'sse game, so S = k S' follows. 

(b) With part (a), (S, a) = k (S', a'). Since k = q + 1, if elements b and b' from S and S' 
have the same color and b = a if and only if b' = a', they also have the same color in Vg( a )(S) 
and Vs( a ')(‘S')- The claim of the lemma follows. 

◄ 

With the help of the previous lemma, we can now show the following decidability result. 

► Theorem 4.6. Emptiness is decidable for consistent DYNFO(l-in,l-aux)-programs. 
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Proof. We reduce the emptiness problem for consistent DYNFO(l-in, l-aux)-programs to the 
emptiness problem for nondeterministic finite automata. The intuition is as follows. From a 
consistent DYNFO(l-in, l-aux)-program V , we construct a nondeterministic finite automaton 
A that reads encoded modification sequences for V in normal form and approximates the 
state of V in its own state. To this end A has a state qs for every equivalence class £ of 
for a well-chosen k € N. The automaton accepts if it reaches a state qs where £ corresponds 
to states of V with non-empty query relation. 

We make this more precise now. The following facts are exploited in the proof: 

h As V is consistent, if there is a modification sequence that leads to a state with a non¬ 
empty query relation, then there is an insertion sequence in normal form that leads to 
such a state. 

h If two elements a, a' have the same color in some state of the program, then they still 
have the same color after an element b ^ a, a' has been modified. 

h For knowing how a state S is updated by V, it is enough to consider the equivalence 
class of S for a suitable k. 


In an insertion sequence in normal form, an element is touched by at most £ insertions 
where £ is the number of unary relation symbols in Tj n . As the insertions involving a single 
element occur consecutively in such a sequence, the occurring updates can be specified by 
“extended” update formulas of quantified depth £q, by nesting the original update formulas of 
quantifier depth q. For k = £q+ 1, states S and S' with S S' then meet the requirements 
of Lemma 4.5 (b) when those extended update formulas are considered. 

The alphabet E of A is the set of proper r in -colors co). For every equivalence class £ of 
~jt, for k as chosen above, the automaton A has a state qs. The idea is that the automaton 
simulates V by approximating the state of V by its ^-equivalence class. More precisely, 
whenever A is in state qs after reading a word w over E then £ is the equivalence class of 
the state S reached by V after the modification sequence a corresponding to w. 

There is a small caveat to this. The state reached by V after application of a is not solely 
determined by a but also by the size of the domain. The automaton has to take this into 
account. 

We now describe the behaviour A in detail. At the beginning of a computation the 
automaton non-deterministically guesses the (approximate) size of the domain, that is, a 
number i from { 1 ,..., k} and assumes state qs where £ is the equivalence class of that 
corresponds to an initial state of V with i elements if i < k and at least i elements otherwise. 
Note that if i = k then the automaton does not know the exact size of the domain for which 
it is simulating V. Yet, as long as there are at least k r in -uncolored elements, the exact 
number is not important. 

Afterwards A simulates V. When in state qs and reading a symbol c, the automaton 
assumes state qs> where £' is as follows: 


n If £ indicates less than k Ti n -uncolored elements then £' is the ^/--equivalence class of 
any state S' reached by V from a state S with ^-equivalence class £. 
m If £ indicates at least k Ti n -uncolored elements, then A guesses whether this is still the 
case after coloring one further element. If yes, then £' is the ^/.-equivalence class of 
any state S' reached by V from a state S with ^/.-equivalence class £ and at least k + 1 
Ti n -uncolored elements. Otherwise £' is the ^-equivalence class of any state S' reached 
by V from a state S with ^-equivalence class £ and at least k r in -uncolored elements. 

That £' is uniquely determined follows from the second and third fact from above. 

◄ 
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The picture of decidability of emptiness for consistent programs for all classes of the form 
DYNFO(£-in, m-aux) is pretty clear and simple: it is decidable if and only if i = 1 and m < 1. 
Now we turn our focus to the corresponding classes of consistent DYNPROP-programs. Here 
we do not have a full picture. We show in the following that it is decidable if t = 1 or m < 1. 

► Theorem 4.7. The emptiness problem is decidable for 


(a) consistent T)YnPKOP(l-in)-programs. 

(b) consistent DynProp(1 -aux)-programs. 


Proof (of Theorem 4.7 (a)). In ]T2J Theorem 3.2] it is shown that over databases with a 
linear order and unary relations every DYNPROP(l-in)-program V with a Boolean query 
relation maintains a regular language over the Tj n -colors of the Ti n -colored elements. This 
result holds for arbitrary initialization and its proof shows that an automaton for this 
regular language can be effectively constructed from the dynamic program. Therefore, to 
test emptiness of a program with a Boolean query relation it suffices to test emptiness of its 
automaton. 

Suppose that V has a query relation with arity k > 0 and that there is a modification 
sequence a that yields a state S where the query relation contains a tuple a = (a ±,..., a*,). 
Without loss of generality we assume that a is an insertion sequence in normal form and 
that elements of a are modified at last (if they are modified at all). In other words, a is of 
the form a± ... olm where each a,; modifies exactly one element, and there is an N such that 
cXj with j > N only modifies elements of a. 

We use a pumping argument to argue that if a is a shortest such sequence, then it is not 
very long. Then emptiness of V can be tested by examining all such modification sequences. 
We use the following observations from [121 , Theorem 3.2]: 


(a) After each update, all tuples of positions that have not been touched so far have the same 
(atomic) type. 

(b) There is only a bounded number (depending only on the number and the maximal arity 
of the auxiliary relations of V) of different types of such tuples. 

Let Si be the state reached by applying op ... at. If TV is larger than the number of (atomic) 
fc-ary types then, by the observations (a) and (b), there are j, j' with j < j' such that all 
l-tuples whose elements have not been touched so far have the same type in Sj and Sj>. In 
particular a has the same type in Sj and Sj>. Hence, since V is quantifier-free, it also has the 
same type in S (the state reached by applying a) and in the state reached by applying the 
modification sequence a\ ... ajOtp+i ... cxncxn+ i • ■ ■ ckm- Thus the query relation contains a 
in the latter state. ◄ 


Before we prove the general statement of Theorem 4.7 (b), we first sketch the basic proof 
idea for consistent DYNPROP(l-aux)-programs over graphs, i.e., the input schema contains a 
single binary relation symbol E. For simplicity we also assume a 0-ary query relation. The 
general statement requires more machinery and is proved below. 

Our goal is to show that if such a program V accepts some graph then it also accepts 
one with “few” edges, where “few” only depends on the schema of the program. To this end 
we show that if a graph G accepted by V contains many edges then one can find a large 
“well-behaved” edge set in G from which edges can be removed without changing the result 
of V. Emptiness can then be tested in a brute-force manner by trying out insertion sequences 
for all graphs with few edges (over a canonical domain {!,..., ?x}). 
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More concretely, we consider an edge set “well-behaved”, if it consists only of self-loops, 
it is a set of disjoint non-self-loop-edges, or is is a star , that is, the edges share the same 
source node or the same target node. From the Sunflower Lemma m it follows that for 
every p £ N there is an N p G N such that every (directed) graph with N p edges contains p 
self-loops, or p disjoint edges, or a star with p edges. 

Let us now assume, towards a contradiction, that the minimal graph accepted by V has 
N edges with N > Nm 2 + i, where M is the number of binary (atomic) types over the schema 
r = Ti n U r aux of V. Then G either contains M 2 + 1 self-loops, or M 2 + 1 disjoint edges, or a 
(M 2 + l)-star. 

Let us assume first that G has a set D C E of M 2 + 1 disjoint edges. We consider the 
state S reached by V after inserting all edges from E\D into the initially empty graph. 
Since D contains M 2 + 1 edges, there is a subset D' C D of size M + 1 such that all edges in 
D' have the same atomic type in state S. Let So be the state reached by V after inserting all 
edges in D \ D' in S. All edges in D' still have the same type in So since V is a quantifier-free 
program (though this type can differ from the type in S). Let ei,..., eM+i be the edges 
in D' and denote by Si the state reached by V after inserting ei,..., e* in So- For each i, 
all edges ej+i,..., e«+i have the same type 7 * in state S t , again. As the number of binary 
atomic types is M, there are i < j such that 7 * = 7 j, thus eM+i has the same type in Si 
and Sj. Therefore, inserting the edges ej+i,..., eM+i in Si yields a state with the same 
query bit as inserting those edges in Sj. As the query bit in the latter case is accepting, it 
is also accepting in the former case, yet in that case the underlying graph has fewer edges 
than G, the desired contradiction. The case where G contains M 2 + 1 self-loops is completely 
analogous. 

Now assume that G contains a star with M 2 + 1 edges. The argument is very similar to 
the argument for disjoint edges. First insert all edges not involved in the star into an initially 
empty graph. Then there is a set D of many star edges of the same type, and they still have 
the same type after inserting the other edges of the star. A graph with fewer edges that is 
accepted by V can then be obtained as above. 

The idea generalizes to input schemata with larger arity by applying the Sunflower Lemma 
in order to obtain a “well-behaved” sub-relation within an input relation that contains many 
tuples. In order to prove this generalization we first recall the Sunflower Lemma, and observe 
that it has an analogon for tuples. 

The Sunflower Lemma was introduced in D3. here we follow the presentation in m- a 
sunflower with p petals and a core Y is a collection of p sets S \,..., S p such that Si D Sj = Y 
for all i 7 ^ j. 

► Lemma 4.8 (Sunflower Lemma, (lTj). Let p £ N and let J 7 be a family of sets each of 
cardinality £. If T consists of more than Ng tP = £!(p — l) e sets then T contains a sunflower 
with p petals. 

We call a set H of tuples of some arity £ a sunflower (of tuples) if it has the following 
three properties. 

(i) All tuples in H have the same equality type. 

(ii) There is a set J C {1,..., £} such that tj = t'- for every j G ./ and all tuples t, t' £ H. 

(iii) For all tuples t^t' in H the sets {U\i J} and {t\\i qL J} are disjoint. 

We say that H has \H\ petals. 

The following Sunflower Lemma for tuples has been stated in various variants in the 
literature, e.g., in mm- 
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► Lemma 4.9 (Sunflower Lemma for tuples). Let (,p £ N and let R be a set of (.-tuples. If R 
contains more than Ne tP = ( e p e (£!) 2 tuples then it contains a sunflower with p petals. 

Proof. Let R be an £-ary relation that contains N^ p tuples. As there are less than l f equality 
types of ^-tuples there is a set R! C R of size at least p e ((\) 2 , in which all tuples have the 
same equality type. Application of Lemma 2 in [17] yields^ a sunflower with p petals. ◄ 

It is instructive to see how Lemma |4.9| shows that a graph with sufficiently many edges has 
many selfloops, disjoint edges or a large star: Selfloops correspond to the equality type of 
tuples (fi, tf) with 1 1 = t 2 , many disjoint edges to the case J = 0 and the two possible kinds 
of stars to J = {1} and J = {2}, respectively. 


Proof (of Theorem 4.7 (b)). Now the proof for binary input schemas easily translates to 
general input schemas. For the sake of completeness we give a full proof. 

Suppose that a consistent DYNPROP(l-aux)-program V over schema r with 0-ar}p^| query 
relation accepts an input database T> that contains at least one relation R with many tuples. 

Suppose that R is of arity ( and contains Ne m 2 +i diverse tuples where M is the number 
of f?-ary (atomic) types over the schema of V. We show that V already accepts a database 
with less tuples than V. 

By Lemma 4.9 R contains a sunflower R' of size M 2 +1. Consider the state S reached by 
V after inserting all tuples from R\R' into the initially empty database. Since R' contains 
M 2 + 1 tuples, there is a subset R" C R' of size M + 1 such that all tuples in R" have the 
same atomic type in state S. Let So be the state reached by V after inserting all tuples in 
R' \ R" in S. All tuples in R" still have the same type in So since V is a quantifier-free 
program (though this type can differ from the type in S). 

Let ax,... ,a M +i be the tuples in R" and denote by S; the state reached by V after 
inserting a \,..., oq in So- In state S, all tuples a 1+ i,..., om+i have the same type, again. 
As the number of Cary atomic types is k, there are i < j such that Om+\ has the same 
type in S, and Sj. Therefore, inserting the edges ej + i ,..., eM+i in S,; yields a state with 
the same query bit as inserting this sequence in Sj. As the query bit in the latter case is 
accepting, it is also accepting in the former case, yet in that case the underlying database 
has fewer tuples than V , the desired contradiction. 

If V has a unary query relation, then the proof has to be adapted as follows. For an 
accepted database T>, the unary query relation contains some element a. Now M is chosen 
as the number of {( + l)-ary atomic types (instead of the number of <?-ary atomic types), and 
R" is chosen as sub-sunflower where all tuples (ai, a),..., (om+i, a) have the same atomic 
type. The rest of the proof is analogous. ◄ 


The final result of this subsection gives a characterization of the class of queries maintain¬ 
able by consistent DYNPROP(0-aux)-programs. This characterization is not needed to obtain 


decidability of the emptiness problem for such queries, since this is included in Theorem 4.7 
However, we consider it interesting in its own right. 

As DYNPROP(0-aux)-programs can only store a constant amount of information, it 
is not surprising that they can only maintain very simple properties. In fact, they can 
maintain exactly all modulo-like queries (to be defined precisely below). This characterization 
immediately yields an alternative emptiness test for consistent DYNPROP(0-aux)-programs. 


12 In [I7j, elements from the “outer part” of a petal can also occur in the “core”. As in R! all tuples have 
the same equality type, this can not happen in our setting. 

13 At the end of the proof we discuss how to deal with unary query relations. 
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Furthermore it partially answers a question by Dong and Su [5]. They asked whether all 
queries maintainable by DYNFO(0-aux)-programs can already be maintained by history- 
independent DYNFO(0-aux)-programs. The characterization shows that this is the case 
for DYNPROP-programs, since all modulo-like queries can easily be maintained by history- 
independent DYNPROP(0-aux)-programs. 

We first fix some notation. For a tuple a = (ai,... ,au) we write dom(a) for the set 
{ai,..., a/c}. The cardinality of a is the size of dom(a). The strict underlying tuple st(a) 
is the tuple obtained from a by removing all duplicate occurrences of data values (in a 
left-to-right fashion). A tuple a is duplicate-free if st(a) = a. 

A strict atomic k-atom is a relation atom R(y i,..., y r ) for which {yi ,..., y r } = {aq,..., oq} 
with Xi 7 ^ Xj for i ^ j. A strict atomic k-type 7 ( 21 ,..., Xk) is a set of strict atomic fc-atoms. 
Let, for a tuple a = (ai,..., a*,), l be the valuation that maps, for each j £ {1,..., k}, Xj to 
a,j. Then the strict atomic type 7 of tuple a = (ai,..., Ofc) in S is the set of strict atomic 
fc-atoms R(yi ,..., y r ) in 7 , for which i(R(y 1 ,..., y r )) yields a fact in S. We write fc-type(a) 
for the strict atomic type of a fc-tuple a. 

However, the expressive power of consistent DYNPROP(0-aux)-programs can be most 
easily characterized in terms of types of sets of elements, rather than types of tuples. 

The set type type(A) of a set A = { 07 ,... , 0 *,} of size k in a structure S is the set 
(fc-type( 7 r(a)) | n £ S fc }. Here, denotes the set of permutations on {1,..., k} and 7 r(a) 
denotes the tuple (a^qp ■ ■ ■ , a,p fc )). We note that type(A) does not depend on the chosen 
enumeration of A and is therefore well-defined. It directly follows from this definition that 
the set types of two sets with k elements are either equal or disjoint (as sets of strict atomic 
fc-types). In other words, the strict atomic type of a set is determined by the strict atomic 
fc-type of each duplicate-free tuple that can be constructed from elements of the set. 

For a structure S and a set type 7 , we denote by # 5 ( 7 ) the number of sets of set type 7 
in S. 

A simple modulo expression is an expression of the form 7 ^( 7 ) = p q , where p > 2 and 
q < p are natural numbers and 7 is a non-empty set type. A structure S satisfies such an 
expression if 7 ) =p <7i that is, if the number of sets of type 7 in S has remainder q when 
divided by p. A m.odulo expression is a Boolean combination of simple modulo expressions. A 
modulo query is a query that can be defined as the set of all (finite) models of some modulo 
expression. 

In the proof of the following theorem, we will consider modification sequences of a 
particular form that extends the normal form for insertion sequences over unary input 
schemas introduced in Section [3] A general insertion sequence a is in normal form if it fulfills 
the following three conditions. 

(Ml) If a inserts tuples of cardinality k over a set A of k elements, then all such tuples 
are inserted in a contiguous subsequence a a of a. Furthermore if and ola' are the 
contiguous sequences for sets A and A! with |A| > |A'| then a a occurs before a.A' in a. 

(M2) For all sets A, B with the same set type in I, the subsequences a a and as are isomorphic, 
that is, for some bijection 7 r : A —> B, ^( 0 : 7 ) = cub- 

► Theorem 4.10. A Boolean query Q can be maintained by a consistent DYNPROP(0-aw:r) 
program if and only if it is a modulo query. 

Proof, (if) The set of Boolean queries that can be expressed by consistent DYNPROP(O-aux) 
programs is closed under all Boolean operators. It therefore suffices to show that each 
query defined by a simple modulo expression #( 7 ) = p q can be maintained by a consistent 
DYNPROP(O-aux) program V. 
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The insertion of a tuple b into some relation R changes the set type of exactly one 
set, { 61 ,..., b r } = dom( 6 ). It is straightforward but tedious to construct a quantifier-free 
formula ..., y r ) that expresses that the new type of the set {&i,..., b r } after inserting 

b to R is 7 . Likewise, for the old set type of { 61 ,..., b r }. For deletions the situation is very 
similar. A DYNPROP(O-aux) program can therefore use p auxiliary bits to maintain the 
number of occurrences of set type 7 in S modulo p. 

(only-if) Let V be a consistent DYNPROP(0-aux)-program. As V is consistent it yields, 
for each input database X, the same query answer, for each modification sequence that results 
in I. In this proof we therefore only consider insertion sequences in normal form. 

Condition (M2) ensures that when a tuple b is inserted to a relation R , there are no 
tuples present that involve a strict subset of dom(6). As, on the other hand, due to the lack 
of quantifiers, the update formulas for the auxiliary bits can not take any tuples into account 
that contain elements outside of dom(6), the auxiliary bits of V after an insertion operation 
iNSi?(&) of a only depend on the current auxiliary bits of V and the strict atomic fc-type of 
st(6). Similarly, by Condition (M3) it follows that the auxiliary bits after a modification 
subsequence oa only depend on the current auxiliary bits of V and the set type of A. The 
behavior of V under a insertion sequence in normal form is therefore basically the behavior 
of a finite automaton (with the possible values of the auxiliary bits as states) reading a 
sequence of set types p*l 

Let m be the number of (0-ary) auxiliary bits of V and let M = (2 m )!. 

We next show that, for each non-empty set type 7 and each two input databases X and X' 
that have for each non-empty set type different from 7 the same number of sets and whose 
number of sets of type 7 differs by M, either both X and X' are accepted by V, or both are 
rejected. As there are only finitely many types and finitely many classes modulo M, this 
yields that the query decided by V is a modulo query. 

Let S = (D,X, A) be some state reached after an insertion sequence a in normal form, 
let 7 be some non-empty set type and let s be the number of occurrences of 7 in X. Let 
a' be the extension of a by M + 2 m further sets of type 7 yielding S' = (D,X',A'). Let 
A±,...,A S denote the sets of type 7 in X and let A s > denote the sets of type 7 in 

X'. Let a! be decomposed into a\UA 1 • • • As there are only 2 m different possible 

values that the auxiliary bits can assume, there are i < j, j < 2 m , such that o.\ola 1 • • • a^, 
and (X\aA x • • • a a, yield states with identical auxiliary bits J^] As each set An has the same 
set type, it follows that aiaA 1 • • • &A i+cd yields the same auxiliary bits as aqaAi • ■ • a a i: for 
d = j — i and every c with i + cd < s + M + 2 m . If s > i it follows that oq • • • cx.A i+M 
yields the same auxiliary bits as aiOAi • • • and that aqaAi • • • Q.a s+m yields the same 
auxiliary bits as aiOAi • • • atA s ■ Let us now assume that s < i. By deleting i — s sets of type 
7 from the state reached after a\aA x ■ ■ ■ &Ai and oqaAi ■ • • cx.A i+M , we obtain states with 
identical auxiliary bits and s and s + AI sets of type 7, respectively. The claim then follows 
by adding back a 2 to the sequences cqaAi ■ ■ ■ ua b and aqoiAi • • ■ Qa s+M i respectively. This 
completes the proof. ◄ 


14 It should be noted here, that the overall number of set types is finite and only depends on the signature 
of V. 

5 Note that a has the form a\a■ ■ ■ otA s & 2 - 
16 Here, i — 0 corresponds to the sequence au. 
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4.3 The impact of built-in orders 

A closer inspection of the proof that the emptiness problem is undecidable for consistent 
DYNFO(l-in, 2-aux)-programs (Theorem |4.4| reveals that the construction only requires one 
binary auxiliary relation: a linear order on the “active” elements. The proof would also 
work if a global linear order on all elements of the domain would be given. We say that a 
dynamic program has a built-in linear order , if there is one auxiliary relation R < that is 
always initialized by a linear order on the domain and never changed. Likewise, for a built-in 
successor relation. 

That is, the border of undecidability for consistent DYNFO-programs actually lies between 
consistent DYNFO(l-in, l-aux)-programs and consistent DYNFO(l-in, l-aux)-programs with 
a built-in linear order. Similarly, the border of undecidability for (not necessarily con¬ 
sistent) DYNPROP-programs actually lies between DYNPROP(l-in, 1-aux)-programs and 
DYNPROP(l-in, l-aux)-programs with a built-in linear order. 

► Proposition 4.11. The emptiness problem is undecidable for 


(a) consistent DynFO(1-ot, 1-aux)-programs with a built-in linear order or a built-in successor 
relation, 

(b) T)YNT?ROP(l-in,l-aux)-programs with a built-in successor relation. 


Proof, (a) The only binary auxiliary relation used in the proof of Theorem 4.4 was to 
simulate a linear order on the domain. This is not necessary any more, if the linear order is 
available. The linear order can easily be replaced by a built-in successor relation. 

(b) We adapt the proof of Theorem 4.2 (b) and use the successor relation instead of the list 
relations, which are the only binary auxiliary relations. The first modification touches an 
element that is then marked as the first and last element of both lists. We then demand that 
an insertion to C, inserts the element that is marked as last and a deletion from C, deletes 
the predecessor of the last element. This can be checked and the marking of the last element 
can be updated without the use of quantifiers. A relation C) is empty after the element that 
is marked as first is deleted from C, . 


However, for dynamic programs that only have auxiliary bits, linear orders or successor 
relations do not affect decidability. 

► Proposition 4.12. The emptiness problem is decidable for 

(a) consistent DynFO(1-ot, 0 -aux)-programs with a built-in linear order or a built-in successor 
relation, 

(b) DynProp(1-zti, 0-aux)-programs with a built-in linear order or a built-in successor rela¬ 
tion. 

Proof, (a) Let V be a consistent program over unary input relations that uses only 0-ary 
auxiliary relations and a built-in linear order. In [HI Theorem 3.1] it is showrp] how to 
construct an existential monadic second order formula ip such that there is a modification 
sequence a with P Q (2?0) is accepted by V if and only if a{D®) |= ip. By Q], the formula ip 
describes a regular language over the proper 7i n -colors (7^ Co). Hence an equivalent finite 
state automaton can be constructed. For finite automata the emptiness problem is decidable, 
so the claim follows. 
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We note that the setting in that paper assumes a built-in linear order. 
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(b) This statement simply follows from the decidability of the emptiness problem for 
DYNPROP(l-in, l-aux)-programs (Theorem |4.3[ ) and the fact that the update formulas of 
DYNPROP(l-in, 0-aux)-programs only have one variable and therefore can not use a linear 
order or a successor relation in a non-trivial way. 

◄ 


5 The Consistency Problem 

In Section [472] we studied Emptiness for classes of consistent dynamic programs. It turned 
out that with this restriction the emptiness problem is easier than for general dynamic 
programs. One might thus consider the following approach for testing whether a given 
general dynamic program is empty: Test whether the program is consistent and if it is, use 
an algorithm for consistent programs. To understand whether this approach can be helpful, 
we study the following algorithmic problem, parameterized by a class C of dynamic programs. 

Problem: Consistency(C) 

Input: A dynamic program V € C with FO initialization 
Question: Is V a consistent program with respect to empty initial databases? 

We will see that the mentioned approach does not give us any advantage, as deciding 
Consistency is as hard as deciding Emptiness for general dynamic programs. It is not very 
surprising that Consistency is not easier than Emptiness, since deciding Emptiness boils 
down to finding one modification sequence resulting in a state with particular properties 
and CONSISTENCY is about finding two modification sequences resulting in two states with 
particular properties. This high level comparison can actually be turned into rather easy 
reductions from Emptiness to Consistency. 

On the other hand, Consistency can also be reduced to Emptiness. For this direction 
the key idea is to simulate two modification sequences simultaneously and to integrate their 
resulting states into one joint state. This is easy if quantification is available, and requires 
some work for DYNPROP-fragments. We first give a technical lemma to restrict the kind of 
modification sequences that have to be considered to decide CONSISTENCY. 

For this, we use the notion of innocuous transformations. Intuitively, an innocuous 
transformation 9 of a modification sequence a is a minimal change of a that results in a 
modification sequence 6(a) which leads to the same underlying database as a. Formally, an 
innocuous transformation is either (1) a permutation of a subsequence 8182 to 8281 under 
the condition that if one modification is iNSs(a) then the other one is not dels (a), (2) the 
removal of a subsequence iNSs(a)DELs(a) if a is not contained in S when this subsequence 
is applied, (3) the removal of a modification 8 = iNSs(a) or 8 = DELs(a) if a is already 
contained in S respectively a is not contained in S when the modification is applied, or (4) 
the inverse of one of these transformations. It is clear that under the given conditions, for an 
innocuous transformation 9 of a modification sequence a it holds that a('D$) = 6(a)(Vqf). 

► Lemma 5.1. Let V be an inconsistent dynamic program. Then there is a modification 
sequence a, an innocuous transformation 9 of a and an empty database V® such that the 
query relations in TffVqf) and P@(a)(^0) differ. 

Proof. As V is inconsistent, there are two modification sequences a and a 1 that lead to the 
same input database 1 but to states with different query relations. It is easy to see that 
a' = 9 1 • • • 9m(cx) where each 9i is an innocuous transformation of 9\ ■ ■ ■ 9i-i(a): From a and 
a' we can obtain a common insertion sequence a" by applying innocuous transformations 




24 


Static Analysis for Logic-Based Dynamic Programs 


of type (l)-(3), the inverses of the latter sequence of transformations then yields a' from 
a". As a and a' lead to states with different query relations there must be an i such that 
a* = 0i • • • 0,;_i(a) and 9i(a*) lead to states with different query relations. ◄ 


We now give the reductions between Consistency and Emptiness. 

► Theorem 5.2. Let t > l,m > 0. 


(a) For every C £ {DynFO(Aot, m-aux), DynFO(Aot), DYNFO(m-aMa;), DynFO}, 

(i) Emptiness(C) < Consistency(C), and (ii) Consistency(C) < Emptiness(C). 

(b) ForeveryC £ {DynPhop(£-ot, m-aux), DynProp(£-ot), DYNPHOP(?n-awa:), DynProp}, 
(i) Emptiness(C) < Consistency(C), and (ii) Consistency(C) < Emptiness(C). 


Proof. For (a)(i) and (b)(i), we construct dynamic programs whose query relations are 
inflationary, that is, tuples that are inserted once are never removed afterwards. When an 
update adds a tuple and the modification that caused that update is undone, the two states 
that are reached after these updates are witnesses to inconsistency. 

For (a)(ii) and (b)(ii), the constructed dynamic programs simulate two independent 
modification sequences and maintain two states of the original program. For (a)(ii), the 
program uses quantification to determine whether the two states represent equal input 
databases but different query relations. For (b)(ii) we use that thanks to Lemma 5.1 it 


suffices to simulate one modification sequence and at one point one innocuous transformation 
to find witnesses for inconsistency, so the two maintained states always represent equal input 
databases. 


(a)(i) For a given DYNFO(Ain, m-aux)-program V over schema (ri n , r aux ) with query symbol 
Rq we construct a DYNFO(Ain, m-aux)-program V' over (ri n , T aux U{f?g}) with query symbol 
R'q. The idea is to initialize R'q as empty and add the tuples in Rq to Rq with a delay 
of one modification. No tuple gets removed from R'q. The update formulas for R'q are 

</>^ e (x; y) = Rq{v) V The update formulas for relations from r aux are copied from V. 

If V is empty, then R'q = 0 in every reached state S and V is consistent. If V is 
non-empty, then let a be a shortest modification sequence such that R^^^ is non-empty 
and let a* = act' be a modification sequence that leads to the same input database as a. It 
follows that the query relation R'q differs in and V' a *i(D^) and V is inconsistent. 

(a) (ii) If V is a given DYNFO^-in, m-aux)-program, we construct a DynFO (Ain, m-aux)- 
program V' that simulates two modification sequences of V in parallel and maintains two 
states of this program. If the input databases of theses states are equal, a tuple is added to 
the query relation of V' if it is included in exactly one of the two maintained query relations 
of V. 

If V is over schema (ri n , r aux ), then V' is over schema (r[ n , r aux ) where r/ n = {S', S' \ S £ 
r in } and r{ ux = {S, R' R £ r aux } U {Sg}. The query relation of V is Rq. The update 
formulas of relations R £ r aux are the same as in V, for relations R' £ r aux the update 
formulas are obtained from the original formulas by replacing every relation symbol S £ Ti n 
or R £ r aux by S' or R', respectively. The update formulas for R*q first check if the two 
maintained input databases are equal by using conjunctions of formulas \/x(S(x) -£>■ S'(x)) 
for every S £ r in and then inserts a tuple if it is in exactly one of the query relation Rq of V 
and its copy R'q. V is consistent if and only if V’ is empty. 

(b) (i) Analogous to (a)(i). 
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(b) (ii) We adapt the idea of part (a) (ii) with the help of Lemma |5d| For a DYNPROP(t'-in, m-aux)- 
program V over schema (Ti n ,T aux ) we sketch the construction of a DYNPROP(f?-in, m-aux)- 
program V' over schema (r/ n , t' ux ). Like in part (a)(ii), this program simulates two modific¬ 
ation sequences of V and maintains two auxiliary databases over r aux , but only one input 
database over Ti n . Contrary to (a)(ii), V' either simulates the effects of one modification 
to both auxiliary databases or, exactly once, a subsequence (of length at most 2) and an 
innocuous transformation of this subsequence. It follows that the input databases are equal 
for both simulated modification sequences after every simulated modification and so V only 
has to check whether there are tuples that are included in exactly one copy of the original 
query relation. 

We now sketch the construction of V. Like in part (a)(ii), r aux contains relation symbols 
R, R' for every R £ T aux . Also all relation symbols from 7i n are contained in r[ n . Additionally, 
r/ n contains relation symbols Us, Is and Ts,T' s for every S £ Ti n to simulate subsequences 
and their innocuous transformations. Us is for simulating an unnecessary modification. 

If a modification INS[/ S (a) is applied to V', the update formulas check that a is already 
contained in S. If this check fails, V' sets an error bit. Otherwise, V' simulates V for 
the modification iNSg(a) on the second copy of the auxiliary database. Analogously for a 
modification DEL(/ S (a). When a modification INS/ S (a) occurs, V simulates V for the sequence 
iNSs(a)DELs(a) on the second copy, if a is not contained in S before. Otherwise, V sets an 
error bit. A sequence iNST s (a)lNS T ^ (6 )del t ^ (6 )del Ts (a) is used to simulate the sequence 


iNSs(a)DELg/(f)) on the first copy of the auxiliary database and the sequence del^/( fe)iNSs(a) 
on the second copy, likewise for other combinations of insertions and deletions. Some 
additional auxiliary bits are used to check that four modifications like this happen in a row 
and that they do not represent the insertion of a tuple to a relation and the deletion of that 
tuple from the same relation. We use additional auxiliary bits to maintain whether exactly 
one innocuous transformation has been simulated. For every modification over relation 
symbols from r in , both copies of the auxiliary database get updated according to the original 
program V. 

It follows from Lemma 5.1 that it is possible for V' to reach a state where the copies Rq 
and R'q of the query relation of V differ and no error bit is set if and only if V is inconsistent. 
A tuple is inserted into the query relation R*q of V' when no error bit is set and the tuple is 
in exactly one of Rq and R'q. So V is empty if and only if V is consistent. 


◄ 


6 


The History Independence problem 


As discussed in Section |4~2| it is natural to expect that a dynamic program is consistent, i.e., 
that the query relation only depends on the current database, but not on the modification 
sequence by which it has been reached. Many dynamic programs in the literature satisfy a 
stronger property: not only their query relation but all their auxiliary relations depend only 
on the current database. Formally, we call a dynamic program history independent if all 
auxiliary relations in V a (T>) only depend on a{T>), for all modification sequences a and initial 
empty databases T>. History independent dynamic programs (also called memoryless |21l or 
deterministic 0) are still expressive enough to maintain interesting queries like undirected 
reachability m, but also some lower bounds are known for such programs 0H3J [233- 

in this section, we study decidability of the question whether a given dynamic program is 
history independent. 
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Problem: HistoryIndependence(C) 

Input: A dynamic program V € C with FO initialization 

Question: Is V history independent with respect to empty initial databases? 

Note that contrary to the emptiness problem, HistoryIndependence is not easier for 
classes of consistent dynamic programs than for classes of general dynamic programs, so 
we will not study this restriction. This is because for every dynamic program V we can 
construct a consistent dynamic program V' that is history independent if and only if V is, 
by introducing a new query bit that is not changed by any update formula. 

Not surprisingly, HistoryIndependence is undecidable in general. This can be shown 
basically in the same way as the general undecidability of Emptiness in Theorem |4.1| 

► Theorem 6.1. HistoryIndependence is undecidable for T)YNFO(2-in,0-aux)-programs. 

Proof. Again we reduce from the satisfiability problem for first-order logic over schemas 
with at least one binary relation symbol. For a given FO-formula ip, at first we construct the 
dynamic program V from the proof of Theorem |4.1[ Additionally we add a second auxiliary 
bit B which is initialized as false and set to true when Acc is first set to true by an update, 
and never set to false again. If ip is not satisfiable, then all bits remain false and V is history 
independent. If p> is satisfiable, then let aS be a shortest modification sequence applied to 
an empty database T>$ such that Acc and B are set to true in V^D®). Let J _1 be the 
modification that undoes S. Then B is false in V a (D g) and true in Pa^-i (T’g), but the 
respective input databases are equal. So V is not history independent. ◄ 


However, in the following we will see that the precise borders between decidable and 
undecidable fragments are different for HistoryIndependence than for Emptiness and 
Emptiness for consistent programs. More precisely, we will show that HistoryIndepend¬ 
ence is decidable for DynFO- and DYNPROP-programs with unary input databases, and 
for DYNPROP-programs with unary auxiliary databases. 

We recall the normal form for insertion sequences introduced in Section [3j For dynamic 
programs with unary input databases, insertion sequences in normal form (1) color each 
element contiguously and (2) apply the insertions for each Ti„-color in the same order. Here 
we require further that they first color all elements with designated Ti n -color ci, then all 
elements with C 2 and so on. 

We will first show that to judge HistoryIndependence of DYNFO(l-in)-program only 
modification sequences in normal form (Lemma |6.2| ) and states with a particular property 
(Lemma 6.31 need to be considered. Finally, we show that if a dynamic program is not 
history independent, this can be observed already for domains of a bounded size in the size of 
the program (Proposition |6.7| . The decision algorithm then tests all states over such “small” 
domains reached by insertion sequences in normal form in a brute-force manner. 

Let V be a DYNFO(l-in)-program over schema t = r in U r aux . Throughout this section 
we assume that r contains only at least unary relation symbols and no input or auxiliary 
bits to ease presentation. This is no real restriction, as these bits can easily be simulated by 
unary relations when quantification is allowed. We usually denote the maximum quantifier 
depth of (initialization and update) formulas by q , the maximum arity of aux-relations by m, 
and the number of input relations by £. Further we write L for 2 e — 1 and let Co,... ,cl be 
the Ti n -colors, where cq is the color of the Ti n -uncolored elements. In the following we write 
“colors” and “uncolored” instead of r in -colors and r in -uncolored. 

We next present a characterization of history independence which is well-suited to 
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algorithmic analysis. We call a state S over domain D locally history independen^\ior a 
dynamic program P if the following three conditions hold. 

(HI) Vs 1 8 2 (S) = Vs 2 s 1 (S) for all insertions Si and 62 - 

(H2) S = P IN s R (fl)D E L R (a)(^) if a i R s , for all R £ T in and a over D. 

(H3) S = Pms R (a)(S) if a € R s and S = P BELH (Z)(S) if a £ R s , for all R £ r- m and a over D. 
► Lemma 6.2. Let V be a dynamic program. 

(a) V is history independent if and only if every state reachable by V via insertion sequences 

is locally history independent. 

(b) If V is a DynFO(1 -in)-program, then V is history independent if and only if every state 

reachable by V via insertion sequences in normal form is locally history independent. 

Proof, (a) (only-if) It is easy to see that local history independence for all reachable states 
is necessary for history independence. 

(if) Assume, towards a contradiction, that there is a dynamic program V, for which every 
state reachable by an insertion sequence is locally history independent, but V is not history 
independent. Then there are two modification sequences ol\ and a 2 to an empty database 
T>i with aiiVfl) = a 2 (Vq) but P ai (P(t) 7 ^ Pa We construct insertion sequences ot\ 
and a ' 2 that lead to the same state as oq and a 2 , respectively. Repeated application of (HI) 
then yields P^iPn) = P a ' 2 (Pn)) and altogether P ai (X> 0 ) = ^(£> 0 ) = Pa' 2 (Pn)) = Pa 2 {P<i), 
the desired contradiction. 

We only describe how to construct the insertion sequence from aq; the construction of 
a ' 2 from a 2 is completely analogous. Let thus oq = <5i • • • Sn and, for every i, we denote by 
Si = Psi-sM- 

A modification is bad if it is a deletion or the repeated insertion of a fact. The insertion 
sequence a[ is constructed by successively eliminating all bad modifications from aq. If 
aq does not contain any bad modification, we are done. Otherwise, let 5k be the first 
bad modification in aq. Since 5\ ■ ■ ■ 5k -1 is an insertion sequence, by our assumption Sk-i 
is locally history independent. Therefore, 5k can be eliminated from c*q as follows. If 
5k = DELfl(a) such that a ^ I? 5 '' -1 or 5k = iNSfl(a) such that a £ R Sk ~ 1 then Sk = Sk-i 
thanks to (H3) and 5k can be removed from aq without affecting the resulting state. If 
5k = del n(a) such that a £ R‘ Sfc - 1 , then there must be an insertion iNSfl(a) in <5i • • • 5k- 1 . 
By (HI) the insertions 5 1 • • • 5k -1 can be rearranged into a sequence /3lNSfl(a), such that /? 
consists of all modifications from Aq • • • 5k -1 besides lNS#(a) and the resulting state is Sk- 1 - 
By (H2), the modification sequences /3 and /3lNS_R(a)DELfl(a) yield the same state, but /? has 
fewer deletions than <5q • • • 5k- The modification sequence o! x is obtained by repeating this 
procedure. 

(b) (only-if) Again, local history independence for all reachable states is necessary for history 
independence. 

(if) Let P be a dynamic program for which every state reachable via a insertion sequence 
in normal form is locally history independent. We show that every state reachable by an 
insertion sequence is also reachable by a normal form sequence. That P is history independent 
then follows from (a). 

We thus assume, towards a contradiction, that there is an insertion sequence a = 5\ ■ ■ ■ 5pj 
and an empty database T>i such that S = P a {Dt) is not reachable by any insertion sequence in 


’We define this term for arbitrary input arity, since the first part of Lemma 6.2 holds in general. 
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normal form. Let a and Pg be chosen such that N is minimal. Therefore, S' = Vs 1 ... 5 N _ 1 ('Dqf) 
can be reached by a normal form modificatiorp^j sequence a' = and, by our 

assumption, S' and all prior states reached by prefixes of a' are locally history independent. 
By inductive application of (HI), <5 tv can now be moved to its appropriate place inside a' 
to yield a normal form sequence a" equivalent to a. Therefore, S is reachable by a normal 
form sequence, the desired contradiction. 

◄ 

We next define another property that reachable states of history independent programs 
share. A state S is homogeneous if all tuples a and b with the same (atomic) r in -type also 
have the same (atomic) r aux -type. For every homogeneous state S we denote by f$ the 
(atomic) type function that maps every (atomic) r in -type of arity m (the maximal arity of r) 
to the corresponding (atomic) T aux -typep^| The following lemma is an immediate consequence 
of [5J Lemma 16]. 

► Lemma 6.3. For every history independent DynFO( 1-in) -program, every reachable state 
is homogeneous. 

We call a state of a DYNFO(l-in)-program that is not homogeneous or not locally history 
independent a bad state. That a state is bad can be expressed in first-order logic. Likewise 
the possible effects of coloring a single uncolored element on the type function of a state 
can be expressed by first-order formulas. To state this more precisely, we use type forecast 
functions F : {1,..., L} —» F, where T is the set of possible type functions for V. 

► Lemma 6.4. Let V be a T>YNFO(l-in,m-aux)-program with maximum quantifier-depth q 
and £ input relations. 

(a) There is a formula tpbad of quantifier-depth at most 3 + 2m + (£ + l)g that is true in a 
state S if and only if V a {S) is bad for at least one modification sequence a that colors a 
single uncolored element of S. 

(b) For every type forecast function F there is a formula of quantifier depth 1 + m + £q 
that is true in a homogeneous state S if and only if, for every i < L, V a (S) has type 
function F(i) if a colors some uncolored element with Ci. 

Proof, (a) The formula is of the form 

L 

3x \J (cp\ V i p \), 

i=1 

where <p\ expresses that the state that results from coloring an uncolored element by Ci is 
not homogeneous and expresses that it is not locally history independent. 

To this end, <p\ existentially quantifies two ?n-tuples (depth: 2m) and expresses that they 
have the same im-type but different T aux -types in the state after the coloring (depth: £q). 

The formula is a three-fold disjunction for the conditions (Hl-3). As an example, the 
formula for (HI) quantifies two elements a, a' (depth: 2), an m-tuple (depth: m) and tests 
that for some color Cj the r aux -types of the two databases resulting from the two possible 
orders in which a and a' can be colored by Ci (depth: 2 q) differ in the m-tuple. 

Altogether, c/Jbad has quantifier-depth 1 + max(2?n + tq, 2 + m + 2q) < 3 + 2m + (£ + l)q. 


19 Of course, insertion sequences yielding the same state have the same length. 
20 If there is no tuple a of an Tin-type c in S, then fs(c) = Y 
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(b) Similarly, each formula ipp existentially quantifies an element a to be colored, has a 
disjunct for all possible colors, and universally quantifies an m-tuple and tests that the 
Taux-type of it is consistent with its T; n -type and F. Overall this yields quantifier depth 
1 + m + iq. 

◄ 


We next formalize the observation that for a homogeneous state, the truth of first-order 
formulas of quantifier depth k only depends on its color frequencies up to To this end, 
we associate with every state S its characteristic input vector fi ln (S) = (no, ■ ■ ■ ,til) over N 
where n,; = n* n (5) is the number of elements with r in -color Ci in S. 

We write n m, for numbers k, n, to, if n = m or both n > k and to > k. We write 
(n 0 ,..., n L ) (n'o ,..., n' L ), if for every i < L, m n'. 

For a given k, we say that two homogeneous states S and S' are k-similar (denoted by 
5 S') if 

- n in (S) n in (S') and 
h S and S' have the same type function. 

Now we can make the relationship between characteristic input vectors and first-order 
types more precise P3 

► Lemma 6.5. Let V be a DynFO(1 -in, m-aux)-program and let S and S' be two homogen¬ 
eous states for V. For every k £ N, if S S' then S =k S'. 

We recall that S =k S' means that the two states satisfy exactly the same first-order formulas 
of quantifier depth (up to) k. 

Proof. If S S' then the duplicator has a straightforward winning strategy for the k -round 
Ehrenfeucht-Fraisse game on the r in -reducts of S and S'. Since both states are homogeneous 
and have the same type function, this winning strategy extends to r aux and the strategy of 
duplicator is a winning strategy for S and S'. ◄ 

By combining Lemmas |6.4| and |6.5| we get the following lemma, which will be the most 
important technical tool in the proof of a small counterexample property for programs that 
are not history independent. 

► Lemma 6.6. Let V be a DynFO(1-ot, m-aux)-program with maximum quantifier-depth q 

and £ input relations, let K > 1 + m + £q and let S and S' be two homogeneous states for V 
with S S'. Let a and a' be uncolored elements in S and S' , respectively. Let /? and /3' be 

insertion sequences that color a and a!, respectively with the same color Ci. Then Vp(S) and 
*Pp' (S') have the same type function, in case they are both homogeneous. 

Proof. By Lemma |6.5[ we know that S =k S'. In particular, thanks to Lemma 
homogeneity of Vp(S) and Vp'(S'), there is a unique type forecast function F such that ipp 
holds in S and S'. Therefore, after coloring a and a' with Ci the resulting states both have 
type function F(i). ◄ 

Now we can show a small counterexample property for programs that are not history 
independent. 


6.4 and the 


4.5 


21 Note the similarities to Lemma 

22 We note that for homogeneous states it actually holds: S 


S' if and only if S =k S'. 
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► Proposition 6.7. Let V be a DynFO(1 -in, m-aux)-program with quantifier depth q and I 
input relations, and let K = 3 + 2m + (£ + l)q and T be the number of type functions. If V is 
not history independent, then there exists a database T>i of size at most N = (2K + T)(L + 1) 
and a insertion sequence in normal form a such that ValfDqf) is bad. 

Proof. Let V be a dynamic DynFO (1-in, m-aux)-program that is not history independent 
and let T> @ be an empty database of minimal size n for which there exists a insertion sequence 
in normal form oq • • • a n, such that V a {Dqf) is bad, each subsequence aq colors one element, 
and N is minimal. 

We consider the state S = V ai ... aN _ 1 ('Di/)) just before the bad state. Thus S satisfies the 
formula <pbad from Lemma |6.4| 

Let (no,..., ni) = n ln (<S). We show first that, for every i > 1, n* < 2K + T. Towards a 
contradiction, let us assume that for some i > 1, nt > 2K + T. 

Let a' = Pa[ • • • a' n . be a reordering of aq • • • ax-i such that a[, ..., a' n . are insertion 
subsequences that color the ni elements with color Ci and /3 contains all other insertions. 
By minimality of N, all involved states are locally history independent and therefore the 
reordering does not affect the resulting state, i.e. , Vp a ' ... a i (£> 0 ) = S. 

We denote, for every j < n j, the state Vp a ' i ... a ’, (V®) by Sj and its type function by 
We can conclude that Sj Sj>, for all K < j < j' < n, — K — 1, since 

h in Sx, there are more than K + T uncolored elements and K elements of color Cj, 
m cx ' K+1 • ■ • a' n _ K _ ± only colors uncolored elements with color Cj, and 
h in S ni -K-i there are still more then K uncolored elements. 


Since there are more than T states between Sk and S ni —K—h two of them must have 
the same type function. That is, there must be ji, J 2 with K < j 1 < j 2 < n, — K — 1 and 
fj, = fj 2 and therefore Sj 1 Sj 2 - 

Let be the empty database resulting from by deleting all elements that are 
colored by the sequence o;' 1+1 • • • a' 2 . Since V has more than j 1 + K > K > q elements, 
5 i nit (I? 0), in particular these two states have the same type functions. By 


inductive application of Lemma 6.6 it is easy to show that Vp 


J K 


p «;• 


m. 


In the inductive step, we start from two corresponding states whose ~ic-equivalence has 
already been established. In particular, they agree on all formulas <pp and therefore the 
application of the same one element coloring sequence yields for both the same type function, 
thanks to Lemma |6.6| and because the reached states are homogeneous by minimality of n 
and N. Since the number of elements for each (proper) color is the same in both new states 
and both have more than K uncolored elements, they are also equivalent with respect to — k ■ 


For each j with j 2 < j < N - 1 let S'- = P / 3 a ' 1 -a' i a' 2+1 -Q ! ' (Dq). 

We emphasize that, for every j, n ln (Sj) and n ln (Sj) only differ in their entry for color 
Ci (which for both is at least K ). In particular, they have the same number of uncolored 
elements. 

Thus, Sj 2 Sj, Sj 2 and therefore, as before, S'- 2 and Sj 2 agree on all formulas ipp. 
It follows that the two states S' 2+1 and S )2+ i obtained by the sequence a' 2+1 again have 
the same type function. As they both have at least K uncolored elements and at least K 
elements with color Cj (and agree on all other color frequencies), we get S' 2+1 Sj 2 +i- An 
inductive application of the same argument yields S ' N _ 1 Sjv-i = S. Since S (= tpba.A 
we conclude S ' N _ 1 |= ipba.d and thus S , N _ 1 is a bad state. As S ' N _ 1 can be reached by fewer 
insertions than S we get the desired contradiction and thus n 7 ; < 2 K + T, for all* > 1. 



T. Schwentick, N. Vortmeier, T. Zeume 


31 


We finally show that no < K. Otherwise, if no > K , we could replace Pg by the empty 
database Pg in which one element that is uncolored in S is removed. Similarly as before 
it would follow that P ai —a N -i (P@) 'Pa 1 ---a N - 1 (P > ti) and therefore that V ai ... aN _ i(Pg) 

satisfies </?bad and is therefore bad, contradicting the choice of Pg. This completes the proof 
of the proposition. ◄ 

We can now conclude the main result of this section. 

► Theorem 6.8. HistoryIndependence is decidable for DynFO(I-ot)- programs. 

Proof. It follows immediately from Proposition |6.7| that Algorithm [l] is a correct decision 
algorithm for HistoryIndependence of DYNFO(l-in)-programs. 

Algorithm 1 Deciding HistoryIndependence for DYNFO(l-in)-programs 

Input: A DYNFO(l-in, m-aux)-program V with i input relations and quantifier depth q. 

1 : Let K , L and T be as in Proposition |6.7| 

2 : for all empty databases Pg over domains {1,..., n} with n < (2K + T)(L + 1) do 

3: for all normal form insertion sequences a over {1,..., n} do 

4: if P a (Pg) is not homogeneous or not locally history independent then Reject. 

5: end for 

6: end for 
7: Accept. 


Using the same technique as used in the proof of Theorem 4.7 b), history independence 
can be shown to be decidable for DYNPROP(l-aux)-programs. 

► Theorem 6.9. HistoryIndependence is decidable for DYNPROP(l-aw:r) -programs. 

Proof. Let V be a DYNPROP(f-in, l-aux)-program for some f G N. Recall that, according to 
Lemma |6.2| for testing history independence it suffices to check that no non-locally history 
independent state can be reached by an insertion sequence in normal form. We argue that 
if a non-locally history independent state can be reached by P, then such a state with few 
tuples in the input relations can be reached as well. History independence can then be tested 
in a brute force manner by trying out insertion sequences for all input databases with few 
tuples. 

Suppose that S is a non-locally history independent state reachable by V such that 
the number N of tuples in input databases of S is minimal. In particular, V is history 
independent for input databases with less than N tuples, that is, all modification sequences 
a and a' yielding an input database with less than N tuples also yield the same state. Let a 
be an 2£-ary tuple that witnesses that S is not locally history independent, i.e. there are 
two modifications on a that contradict (HI), (H2) or (H3). Further let 7 be the atomic type 


of a. Now, using the same argument as in the proof of Theorem 4.7 as well as the history 
independence of V for databases with less than N tuples, one can show that for exhibiting a 
tuple of type 7 the number N of input tuples does not have to be large. ◄ 


7 Conclusion 

In this work we studied the algorithmic properties of static analysis problems for (restrictions 
of) dynamic programs. Most of the results are summarized in Table [l] In general only very 
strong restrictions yield decidability. 









32 


Static Analysis for Logic-Based Dynamic Programs 


The only cases left open are about DYNPROP-programs when both the arity of the input 
and the arity of the auxiliary relations is at least 2. For such programs the status of history 
independence and emptiness of consistent remains open. We conjecture that for history 
independence the decidable fragment of DynProp is larger than exhibited here. 

Our results will hopefully contribute to a better understanding of the power of dynamic 
programs. On the one hand the undecidability proofs show that very restricted dynamic 
programs can already simulate powerful machine models. It is natural to ask whether 
this power can be used to maintain other, more common queries. On the other hand the 
decidability results utilize limitations of the state space and the transition between states 
for classes of restricted programs. Such limitations can be a good starting point for the 
development of techniques for proving lower bounds for the respective fragments. 
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